| Volume 1 No.3 | November 1998 |
PERILS OF COMPUTER SECURITY
Consider a typical academic scenario: A student breaks into the computer system, violating the institution's computer security. He cracks passwords, sniffs passwords, deletes log files, logs into other users' accounts in an unauthorized fashion, steals network services from the Computer Science Department, and commits several other such crimes. He is then caught. But very often, the administration of academic institutes is either not sensitive to computer crimes, or does not care. And the punishment recommended for this student is rather mild, and hardly a deterrent for others who may indulge in similar crimes.
This puts the entire responsibility of securing one's files on one's own shoulders. It is like the government telling its citizens that security is one's own business, that one should hire a personal bodyguard, and that the police and courts won't come to the rescue of an individual. In our typical example, suddenly the faculty members get worried about whether their exam papers can be leaked out, and whether grades can be changed in the academic office. And suddenly the matter becomes more serious.
Such cases can happen anywhere. This has led to a heightened awareness of computer security issues amongst the common users. So, what are the solutions? Thankfully, there are steps that individual users can take to ensure better security. Let us first identify the methods by which someone can gain unauthorized access to your file.
1. You have unknowingly permitted access to your file.
2. You have a simple password. Someone guesses it, logs into the system under your identity, and accesses the file.
3. Someone breaks into your account by some more complicated method (like reading the password from the wire that carries all the keystrokes you type).
Access Control
To safeguard yourself against the first kind of attack, you need to understand the file access modes. In Unix, one can assign access rights to "oneself", to a group of users, and to the rest of the world. The rights are of three types: reading, writing, and executing the file. In all there are nine different permissions that one can set. The command to set appropriate permissions is "chmod". I suggest that you read the manual page of this command and become familiar with all the possibilities. To read the manual page, give the command "man chmod" on any Unix system. The other command that one should learn about is "umask". This sets the default access rights for a new file. By default, one should not give any access rights to anyone else. To do that, one can give the command "umask 077". Since this command needs to be given every time one logs in, it is a good idea to add it to your login initialization file. You would have a file called .profile or .cshrc in your login directory, where you can add this command.
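The chmod and umask advice above, as an added shell example (not part of the original article): it lists files under a directory that group or others can access, removes those rights, and shows the mode a new file gets under umask 022 versus umask 077. The function names and sample files are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit and tighten Unix file permissions.
# All files are throwaway ones created under a temporary directory.

# List everything under directory $1 that grants any right to group or others.
# Portable POSIX find: one -perm test per group/other permission bit.
find_exposed() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all group/other rights from whatever find_exposed reports.
# (Paths containing newlines are not handled by this simple loop.)
lock_down() {
    find_exposed "$1" | while IFS= read -r path; do
        chmod go-rwx "$path"
    done
}

# Create a new file under umask $1 and print its mode string, e.g. -rw-------
mode_with_umask() {
    (
        d=$(mktemp -d) || exit 1
        umask "$1"
        : > "$d/newfile"
        ls -l "$d/newfile" | cut -c1-10
        rm -rf "$d"
    )
}

demo() {
    d=$(mktemp -d) || return 1
    ( umask 022; echo "draft exam paper" > "$d/exam.txt" )  # common default
    ( umask 077; echo "grade sheet" > "$d/grades.txt" )     # article's default
    echo "umask 022 gives $(mode_with_umask 022), umask 077 gives $(mode_with_umask 077)"
    echo "exposed before lock_down:"; find_exposed "$d"
    lock_down "$d"
    echo "exposed after lock_down: $(find_exposed "$d" | wc -l)"
    rm -rf "$d"
}

demo
```

Calling find_exposed "$HOME" runs the same audit on your own login directory without changing anything.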
Passwords
To safeguard yourself against the second type of attack, you should not use a simple password. Today, on a Pentium class computer, a password cracker program (which guesses your password, encrypts it, and compares it with the encrypted version of the password stored in the system) can guess hundreds of passwords every second. These programs guess dictionary words, proper names, any sequence of lowercase or uppercase letters, etc. Therefore, your password should have at least one lowercase letter, one uppercase letter, and one digit or punctuation mark. The password should preferably be 8 characters in length (since that is the longest password permitted in our systems). If we follow all these suggestions, how do we remember our password? One possibility is to think of a phrase, and take the first letter of all words in that phrase. For example, consider the phrase, "My daughter's birthday is on 24th October." I can take the first letters, and come up with the password "Mdbio24O".
One should never share one's account with anyone, not even one's family members, PhD students, lab staff, etc. If you ever have to give your password to anyone under some emergency condition, change it at the first available opportunity. Don't write your password on a piece of paper. You have to memorize it. Change your password frequently. Once a semester is an absolute must. Don't give your password even to the system staff. Remember, they don't need to know your password to access your account. They have the superuser privileges.
Breaking In
To safeguard yourself from the third kind of attack (that is, despite all your precautions, someone is able to log in under your identity), you have to keep your important files encrypted, and keep backup copies of them. (Most Computer Centres take daily backups anyway.) If you encrypt the files, the criminal may delete your files (which you can recover from the backup), but can't view the contents of those files. To encrypt/decrypt the files, the command to be used is "crypt". The command can be used for both encryption and decryption. The syntax is as follows:
crypt < infile > outfile
If the input file is plain text, then the output file will be encrypted. If the input file is encrypted, then the output file will be in plain text. When you give the command, it will ask you for a key. The same key will be used for decryption as the one used for encryption.
Finally . . .
If the suggestions made above are adhered to, it will make the life of computer criminals a lot more difficult, and you can be at peace knowing that nobody has access to the question paper that you prepared two days before the examination.
Dheeraj Sanghi
Department of Computer Science & Engineering
IIT Kanpur, Kanpur 208016
Telephone: (0512) 59 7077;
e-mail: dheeraj@iitk.ac.in